SharpHound Recon Assault – How AI enhanced the menace hunt

Cisco Dwell AMER 2026 was the proper place to place the Agentic SOC to work, defending the attendees and convention infrastructure. We innovated by giving the Agentic SOC entry to Endace’s always-on, full packet seize, and requested the agent to evaluate a possible SharpHound Recon assault that we had seen whereas menace looking. Inside minutes, the agent returned an correct and descriptive evaluation of the menace, concluding that it was a benign close to miss. This saved us many hours of labor, giving us confidence that the Agentic SOC can be a large enhance to safety and productiveness. This weblog explores how we constructed the integrations and the way AI helped us with our menace hunt and menace evaluation.
Full Packet Knowledge – A gold mine for Agentic AI
At Cisco Dwell AMER 2026 we deployed always-on, full packet seize as a supply of forensic proof, built-in with Agentic AI, to assist the convention SOC directives of Shield, Educate, and Innovate. At all times-on, full packet seize supplies distinctive perception into all exercise on the community, delivering crucial context and proof for Incident Response and Risk Searching groups, in addition to an unmatched knowledge lake of all community exercise for the emergent Agentic SOC.
The problem when human analysts analyze packet knowledge is whether or not they have the experience and expertise to interpret and perceive what packets are telling them: as a result of not everyone seems to be a packet guru.
To make full use of this wealthy community knowledge, we determined to combine Endace full packet seize with the Agentic AI capabilities constructed into Cisco XDR and Splunk Enterprise Safety, together with our customized agentic instrument. The purpose was to empower our incident responders with highly effective proof and reasoning to expedite the decision-making for suspicious exercise. A few of our analysts had been spending their first day ever in a SOC, so our purpose was to assist them be productive rapidly utilizing Agentic AI. This was additionally a fantastic alternative to know how Agentic AI helps productiveness within the SOC.
Agentic AI Augmented Structure
Our Agentic SOC Structure is a pure evolution of the SOC Structure now we have been deploying for the final a number of years, closely leveraging telemetry and insights derived from community knowledge we monitor, analyze and seize all through every occasion. We depend on logs generated by Cisco Firepower, Safe Community Analytics, Safe Entry, AI Protection, Splunk Assault Analyzer, Safe Malware Analytics, and EndaceProbe (which additionally generates Zeek logs and reconstructs file content material from the packet knowledge it information). Splunk Enterprise Safety was the repository for all these logs and knowledge, whereas EndaceProbe was the repository for full packet knowledge for your entire week of the occasion.
We applied a Mannequin Context Protocol (MCP) server for Endace to combine with Cisco Cloud Management, permitting us to construct Agentic AI integrations with Splunk, Cisco XDR and different parts of the SOC (see Baz Shaw’s weblog for extra element: Cisco Dwell 2026 – Utilizing LLMs and Endace Full Packet Seize for Incident Response).
With the Endace MCP server in place, we constructed a light-weight Agentic Tier-2 SOC analyst that consumes a single XDR incident and investigates it end-to-end. It builds on the agentic capabilities already in our merchandise. Below the hood, it combines the Endace MCP (for packet seize and decode) with a Splunk MCP (for querying the Zeek logs and different indexes) and the Cisco XDR APIs (for incident, asset, and observable context), all orchestrated by a reasoning agent that we tailor-made with Cisco Dwell context — the venue’s IP ranges, the Splunk index structure, and the SOC’s guidelines of engagement. The result’s a single entry level: give it an incident ID, and it pulls the XDR context, retrieves the related Endace packets, runs focused Splunk queries, and returns a structured report. (For the complete structure of the instrument and the way we constructed it, see the deep-dive: “AIM — Constructing an Agentic Tier-2 SOC Analyst at Cisco Dwell AMER 2026.”)
Investigating a Potential SharpHound Assault
At every SOC occasion we spend a few of our time being curious and menace attempting to find suspicious exercise. Beforehand we had seen insecure AD as a severe menace to some attendees at one other Cisco Dwell occasion, so we determined to take one other look, first utilizing people somewhat than Brokers.
Reviewing the packet knowledge from three days of convention exercise, we rapidly discovered a number of LDAP periods initiated within the clear by attendee gadgets. In whole, 48 gadgets had been making an attempt to provoke LDAP binds to exterior LDAP servers utilizing each IPv4 and IPv6 addresses.
The high-profile group names discovered within the LDAP bind requests had been significantly regarding. We theorized that the conduct of steady makes an attempt at nameless binds could also be an indication of SharpHound reconnaissance. This recon, if profitable, may end up in LDAP enumeration exposing delicate particulars which may be used to compromise a corporation.
Agentic AI Massively Speeds our Evaluation
At this level, we determined to make use of Agentic AI capabilities to analyze and assess this potential menace. Our first step was to create an incident in Cisco XDR. The incident included an outline, the incident time, and an IP tuple and port. Then the XDR Assault Storyboard kicked in as the first agent, delivering an computerized first-pass evaluation of the incident. Constructing on high of that evaluation, our Tier-2 agent (AIM) took it additional — working the incident in levels and deciding every subsequent step primarily based on what the earlier one returned (really agentic). First, it learn the XDR incident context, then pivoted to Endace full packet seize to drag the precise LDAP/389 session (inside an analyst-approved 15-minute seize window) after which gathered extra supporting proof from Splunk logs, all autonomously.
Inside a couple of minutes we had been offered with a well-written report that described the incident, knowledge gathered, reasoning, evaluation, and disposition together with the following steps. For first-time analysts particularly, this was a goldmine — the Agent interpreted the packets by itself, doing the laborious half. As SOC analysts, we might evaluate the Agent’s work and take the following steps.
The Agent additionally produced step-by-step execution logs; each question and determination — so the complete reasoning path may be handed to Tier-3 if escalation is ever wanted — exhibiting precisely the way it reached its conclusion. It even zoomed out to verify different attendees within the later time window: a blast-radius verify, performed routinely. On this case, the incident was benign, and the advice was to shut it as a benign/near-miss. As a result of we offer the Agent with entry to At all times-On, full packet knowledge, it was in a position to evaluate all packet knowledge to map out the blast radius completely and assess all incidents of this menace.
Constructing Abilities
It was significantly encouraging to see the agent first fail, then study from its mistake. Initially it blended up “occasion time” and “first-seen” time. On the primary move, it discovered no packet proof as a result of it was looking for the mistaken time interval. On the second move, it discovered to make use of the “first-seen” time, discovered the packet proof, and wrote that lesson again into its ability file so it will know for subsequent time.
Conclusion
The Agentic SOC, mixing Agentic AI constructed into Endace’s merchandise with customized agentic instruments, is a large enhance to productiveness and safety. The well-reasoned assessments it supplies permit us people to make quick and strong selections. This, in flip, permits us to focus our valuable time on essentially the most severe threats.
Acknowledgements
Our thanks go to the Cisco SOC crew led by @Jessica Oppenheimer and @Ivan Berlinson for the chance to combine EndaceProbes with the Cisco Dwell Agentic SOC structure. The SOC crew is a set of Cisco and Splunk consultants throughout many domains who had been a pleasure to work and innovate with, and we got here away with a fantastic appreciation for the facility of the Cisco Safety and Splunk instruments. The Endace and Cisco groups had been in a position to show out integration improvements and check them in earnest in a real-world setting in preparation for making them usually accessible to the market.
Take a look at the blogs by the engineers who labored contained in the SOC at Las Vegas:

